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OFFICE OF MANAGEMENT AND BUDGET 
WASHINGTON, D.C, 20503 


CIRCULAR NO. A-71 
July 27, 1978 Transmittal Memorandum No. 1 


TO THE HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS 


SUBJECT: Security of Federal automated information systems 


1. Purpose. This Transmittal Memorandum ‘to OMB Circular 
‘No. A-71 dated March 6, 1965 promulgates policy and 
responsibilities for the development and implementation of 
computer security programs by executive branch departments 
and agencies. More specifically, It: 


a. Defines the division of responsibility for computer 
security between line operating agencies and the Department 
of Commerce, the General Services Administration, and the 
Civil Service Commission. 


b. Establishes requirements for the development of 
Management controls to safeguard personal, proprietary and 
other sensitive data in automated systems. 


c. Establishes a requirement for agencies to implement 
a computer security program. and defines a minimum set of 
controls to be incorporated into each agency computer 
security program. ° 


da. Requires the Department of Commerce to develop and 
issue computer security standards and guidelines. 


e. Requires the General Services Administration to 
issue policies and regulations for the physical security of 
computer rooms consistent with standards and guidelines 
issued by the Department of Commerce; assure that agency 
procurement. requests for automated data processing 
equipment, software, and related services include security 
requirements; and assure that all procurements made by ,GSA 
meet the security requirements established by the user 
agency. 


f. Requires the Civil Service Commission to establish 
personnel security policies for Federal personnel associated 
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computer systems, or having access to data ‘in Federal 
‘computer systems. 


2. Background. . Increasing use of computer and 
Communications ‘technology to improve the effectiveness of, 
governmental _programs has introduced a variety of new 
management: problems. Many public concerns have been raised 
in regard to the risks associated with automated processing 
of personal, proprietary or other sensitive data. Problems 
have been encountered in the misuse of computer and 
‘communications technology to perpetrate crime. In other 
cases, inadequate administrative practices along with poorly 
designed computer systems have resulted in improper 
payments, unnecessary purchases or other improper actions. 
The policies and responsibilities for computer security 
established by this Transmittal Memorandum supplement 
policies currently contained in OMB Circular No. A-71. % 


3. Definitions. The following definitions apply for the 
- purposes of this. memorandum: 


a. “Automated decisionmaking systems" are computer 
applications which issue checks, requisition supplies or 
perform similar functions based on programmed criteria, with 
‘Little human intervention. 


b. "Contingency plans" are plans for emergency 
response, back-up operations and post-disaster recovery. 


c. "Security specifications" are a detailed description 
of the safeguards required to. protect.a sensitivé computer 
application. 


a. "Sensitive application" is a computer - application 
which requires a degree of protection because it processes 
sensitive data or because of the risk and magnitude of loss 
or harm that could result from improper operation or 
deliberate manipulation of the application (e.g., automated 
decisionmaking systems). 


e. "Sensitive data" is data which requires a degree of 
- protection due to the risk and magnitude of loss or harm 
‘which could result from inadvertent or deliberate 
disclosure, alteration, or destruction of the data (e.g., 
personal data, proprietary data). 


4, Responsibility of the heads of executive agencies.) The 


head of each executive branch department and agency is 
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_. responsible for assuring an adequate level of security for 
‘all agency data whether processed in-house or commercially. 


This includes responsibility for the establishment of 


~.physical, administrative and technical safeguards required 
to adequately protect personal, proprietary or other 
_ sensitive data not subject to national security regulations, 


as well as national security data. It also includes 
responsibility for assuring that automated processes operate 
effectively and. accurately. In fulfilling this 


~Yesponsibility each agency head shall establish policies and . 
procedures and assign responsibility for the development, 
-implementation, and operation of an agency computer security 
program. The agency's computer security program shall be 
“consistent with all Federal policies, procedures and 


_< standards issued by the Office of Management and Budget, the 


General Services Administration, the Department of Commerce, 

‘and the Civil Service Commission. In consideration of 
problems which have been identified in relation to existing a 
practices, each agency's computer security program shall at 

a minimum: 


. a. Assign responsibility for the security of each 
computer installation operated by the agency, including 
installations operated directly by or on behalf of the 
agency (@.g., government-owned contractor operated 
facilities), to a management official knowledgeable in data 
processing and security matters. 


b. Establish personnel security policies for screening 
. all .individuals participating in the design, operation or 
maintenance of Federal computer systems or having access _to 
data in Federal computer systems. The level of screening 
required by these policies should vary from minimal _checks 
to full background investigations commensurate with the 
sensitivity of the data to be handled and the risk and 
magnitude of loss or harm that could be caused by the 
individual. These policies should be established for 
government and contractor personnel. Personnel security 
. policies for Federal employees shall be consistent with 
policies issued by the Civil Service Commission. 


c. Establish a management control process to assure 
that appropriate administrative, physical and technical 
safeguards are incorporated into all new computer 
applications and significant modifications to existing 
computer applications. This control process should evaluate 
the sensitivity of each application. For sensitive 
applications, particularly those which will process 
sensitive data or which will have a high potential for loss, 


o 
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“such as automated decisionmaking systems, specific controls 
--ghould, at a minimum, include policies and responsibilities 


ce for: 


(1) Defining and approving security specifications 
“prior ‘to programming the applications or changes. The views ; 
and recommendations of the computer user organization, the 
computer installation and the individual responsible for the 


security of the computer installation shall be sought and 


~ -gonsidered prior to the approval of the security 
: epost frcarions for the application. 


. (2) Conducting and approving design reviews and 
-.application systems tests prior to using the systems 
- operationally. .The objective of the design reviews should 


be to ascertain that the proposed design meets the approved 


security specifications. The objective of the system tests 
should be to verify that the planned administrative, . 
physical and technical security requirements are, , 
operationally adequate prior to the use of the system. The 
results of the design review and system test shall be . fully 
documented -and maintained as a part of the official records 


768 the agency. Upon completion of the system test, an 


“official of the agency shall certify that the system meets 
the documented and approved system security specifications, 
-meets all applicable Federal policies, regulations and 
standards, and that the results of the test demonstrate that 
the security provisions are adequate for the application. 


ad. Establish an agency program for conducting periodic 
audits or evaluations and recertifying the adequdcy of the 
security safeguards of each operational sensitive 
application including those which process personal, 
proprietary or other sensitive data, or which have a high 
potential ' for financial loss, such. as automated 
decisionmaking applications. Audits or evaluations are to 
be conducted by an organization independent of the user 


organization and computer facility Inanager. 
- Recertifications should be fully documented and maintained 
as a part of the official documents of the agency. Audits 


or evaluations and recertifications shall be performed at 
time intervals determined by the agency, commensurate with 
the sensitivity of information processed and the risk and 
magnitude of loss or, harm that could result from the 
application operating improperly, but shall be conducted at 
least every three years. 
a 

e. Establish policies and responsibilities to assure 

that apprepriate security requirements are included in - 
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specilications for the acquisition or operation of computer 


“facilities, equipment, software packages, or related 
--gservices, whether procured by the agency or by the General 
~ Services Administration. These requirements shall be 


-reviewed and approved by the management official assigned! 
responsibility... for security of the computer installation to 
.be used. This individual must certify that the security 
-requirements specified are reasonably sufficient for the 
- antended application and that they comply with current 
Federal computer security policies, procedures, standards 
‘and guidelines. | 


£. Assign responsibility for the conduct of periodic 
risk analyses for each computer installation operated by the 
agency, including installations operated directly by or on 
~ behalf of the agency. The objective of this risk analysis 
should: be to provide a measure of the relative 
Vulnerabilities at the installation so that security 
wesources can effectively be distributed to minimize the 
potential loss. A risk analysis shall be performed: 


: (1) Prior to the approval of design specifications 
for new computer installations. 


. (2) Whenever there is a significant change to the 
physical ‘facility, hardware or software at. a computer 
installation. Agency criteria for defining significant 
changes shall be commensurate with the sensitivity of the 
information processed by the installation. 


' (3) At periodic intervals of time established by 
the agency, commensurate with the sensitivity of the 
information processed by the installation, but not to exceed 
five years, if no risk analysis has been performed during 
that -time. 


g. Establish policies and responsibilities to assure 
~ that appropriate contingency plans are developed and 
maintained. The objective of these plans should be to 
provide reasonable continuity of data processing support 
should events occur which prevent normal operations. These 
plans should be reviewed and tested at periodic intervals of 
time commensurate with the risk and magnitude of loss or 
harm which could result from disruption of data processing 
support. ‘ 


5. Responsibility of .the Department of Commerce. The 
Secretary of Commerce shall develop and issue standards and ~ 
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guidelines for. assuring security of automated information. 


~~“. €ach standard shall, at a minimum, identify: ' 


a. Whether the standard is mandatory or voluntary. 


b. Specific implementation actions which agencies are 


“ requixed to take. 


-¢. The time at which implementation is required. 


“ac A.process for monitoring implementation of each 


standard and evaluating its use. 


“ -@,. The procedure for agencies to obtain a waiver to the 
- standard and the conditions or criteria under which it may 
“be granted. 


Ln oe Responsibility of the General Services Administration. 


>The Administrator of General Services shall: 


: a. Issue policies and regulations for the physical 
“gecurity of computer rooms in Federal buildings consistent 
with standards and guidelines issued by the Department of 
- Commerce. 


bd. Assure that agency procurement requests for 


“".eomputers, software packages, and related services include 


~ security requirements which have been certified by a 
responsible agency official. Delegations of procurement 
authority to agencies by the General Services Administration 


ae under mandatory programs, dollar threshold delegations, 


certification programs or other so-called blanket 
delegations shall include - requirements for agency 
specifications and agency certification of security 
requirements. Other delegations. of procurement authority 
shall require specific agency certification of security 
cequirements as a part of the agency request for delegation 
of procurement authority. 

c. Assure that specifications for computer hardware, 
software, related services or the construction of computer 
facilities are consistent with standards and guidelines 
established by the Secretary of Commerce. 


d. Assure that computer equipment, software, computer 
room construction, guard or custodial services, 
telecommunications services, and any other related services 
procured by the General Services Administration meet the 
security requirements established by the user.agency and are 
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consistent with “other applicable policies and standards 
o> assued by OMB, the Civil Service Commission and the 
Department: of Commerce. Computer equipment, software, or 
. related ADP ‘services acquired by the General Services 
. Administration in anticipation of future agency requirements 
e Shall include security safeguards which are consistent with 
-Mandatory standards established by the Secretary of 

- Commerce. 2 : 


7. Responsibility of the Civil Service Commission. The 
Chairman of the Civil Service Commission shall establish 
personnel security policies for Federal personnel associated 
with” ‘the 'désign, operation or maintenance of Federal 

computer -systems, or having access to data in Federal 
computer systems. These policies should emphasize personnel. 

_réquirements to adequately protect personal, proprietary or 
other sensitive data as well as other sensitive applications 
not subject to national security regulations. Requirements 
for personnel checks imposed by these policies should vary 
commensurate with the sensitivity of the data to be handled 
-and the risk and magnitude of loss or harm that could be 
caused by the individual. The checks may range from merely 
normal reemployment screening procedures to full background 
investigations. 


8. Reports. Within 60 days of the issuance of this 
Transmittal Memorandum, the Department of Commerce, General 
Services Administration and Civil Service Commission shall 

Submit to QMB plans and associated resource estimates for 
fulfilling the responsibilities specifically assigned in 
this memorandum. Within 120 days of the issuance of this 
Transmittal Memorandum, each executive branch department and 
agency shall submit to OMB -plans and associated resource 
estimates for implementing a security program consistent 
with the policies specified herein. 


9. Inquiries. Questions regarding this memorandum should 
bé~.addressed to the Information Systems Policy Division 


(202.) 395-4814 i 
IL hte, 


mes T. Mcintyre, Jr. 
Director 
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poral of reco:ds of teniporary value. and (3) com- 
planes with the provisions of seetlons 992-996. 
397—401 of this title aoe the aecakitiens issued 
thereunder, 


(c) Stornge, processtag, and oc pvicing af records. 

Whenever the head of a Federal ayetcy deter- 
mines that substantial economies or lugiessed oper- 
ating efficiency cau be effected thereby dhe shall pra- 
vide for the storege, processing, aid, servicing of 
records that are approprinte therefor’in a records 
center malntatied and cpernited by the Administ ra- 
tor or, when approved by the Aduuniati ator, in such 
A center maiitabieds wad operated die the head of 
auch Federal npeney. 


(d)> Certifications and determinuetions on transferred 
reeerds. 


Any olichi of the Governinen: who ds authortved 
to certl(y t@ facts vo the bists of cosords di bis cus - 
tody, is authorlaed to eertify to feels can the basis 
of records that Dave been brave ferred Bs hinoor dibs 
predecessors (othe Administrates. and may author 
{ee the Admibulstentor to certliy to frctesiid Co mile 
admibiistiallye¢ determiutoations on die bids of reco: ds 
Linnsferred: fo the Ndophadetented, coli. tHinbana ing 
aoy other provisions of baw. 


(e) Safeguards. 

The head of ench Fideral agenes shall establish 
such safegigiids agaipet the ceinoval of loss of ree~ 
ords as he ghodl determune to be oeeegsary amd as 
may be required by regulations of the Admuiniscrator. 
Such safeguatds shall include nuking it known to 
All offictuls ‘nnd emplosevs of the awehey |) that 
no records tn the custedy of the ageney are to be 
alienated of destroyed cxcept ti uccardance with 
the provision: of sectlons Jat 476 wud S78 (BO of 
this tithe, ated (2) the poovits poostided by Inw for 
the umlewhal pemaval oe desc cuic tiga ob records 


(ft) Uniuwful removal, destiu dion, efe. 

The beadiof enets Pedeval apeney stacil aotify the 
Administrater of any aciiual, impending, or threat- 
ened uniawhal removal, defactig, alieration, or de- 
struction of records In the custedy of the agency 
of which he is the head hat shall eciueto bls atten- 
tion, and with the assistaner of ibe saiministrator 
shall ins cate netlon thiough the Attorney General 
for the lecovery of records he know or has reason 
to belicy: have been unlawfully renee from his 
agency, cr fremany other Pederal ageney whose ree- 
ords have been transferred to bis Je.) taustedy, 


(g) Authority of Comptioller Goad 

Nothine tp cecthens 992 306 48i  dOf of this title 
shall be construed as Hnilding (he aulficcity of the 
Comiptrotior General of the Unite Stace. with re- 
spect to presc ibing ae ovation: so sterag forms, and 
procedures, ©: lessening the cespasi ‘hits of cole 
lecUog and ds bursting oMeer. foc reneftion of their 
accounts Cor seltlement by the citer Se ovunting 
Offiee, (Tune 90) 194) cho va ritle 5V) $506, as 
added Bevt. 5. 1990, cli 4a. § @ cdl nb ote & 583, and 
amended Fob 5. 1964. Pub oT shoe 7H Stab do 

AMENDMETia 

1964—8u ues (ad) Pab. bond 2@eb pr vo teles kathortua- 
Yon for Admini (rater te certify fate at base adiabndne 
trative detertat: athlon Dased on ties cerient ge. otuts 
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(uy Acceptance of records for tisterical prose. sation, 
Vhe Admoutsfiotor, whenever it appears to him to 

be tn he public ditere t. aa authomzed--- 

Photo accept for depesit vith the National 
Archives of the Vrite?d States Che recards of any 
Federal agenes or ef the Conscess of the Uneted 
States that are deteuinmied by the Arectiivist te 
have suffeier ib tectesdbor other vabie lo warciart 
their continued paecci vation: Pay the Giifted Stites 
CGovernpie nt, 

oth te cdreet arid: etheet tie transfer co the 
Natlonal Archives of the United States of any 
records of at). Fecers! agpeney that have been In 
existence for more than fifty vears and that ore 
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preservation by fhe Vantted States Govertument 
ualess the head of the ageicy which has custody 
of them shall ceststy oo writtne to the Adminis- 
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DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE NO. 1/7' 
CONTROL OF DISSEMINATION OF FOREIGN INTELLIGENCE 


(Effective 18 May 1976) 


Pursuant to Section 102 of the National Security Act of 1947, Executive 
Order 11905 and National Security Council Intelligence Directives, certain con- 
trols on dissemination of foreign intelligence and related material? (hereafte: 
referred to as foreign intelligence) are hereby established and promulgated, 


i. Purpose 


This directive establishes certain common controls and procedures for the 
use and dissemination of foreign intelligence to ensure that, while facilitating 
the interchange of information for intelligence purposes, there will be adequate 
protection of foreign intelligence sources and methods. This directive restates 
applicable portions of National Security Council Directive of 17 May 1972 
implementing Executive Order 11652, and prescribes additional controls ap- 
plicable to the US foreign intelligence mission. The policy on release of foreign 
intelligence to contractors is set forth in the Attachment. 


3, Applicability 


‘The controls and procedures set forth in this clirective shall be uniform! 
applied within the Executive Branch of the Government in handling of all ma- 
terials containing foreign intelligence originated by Intelligence Community 
organizations as defined by Section 2(b) of Exeeutive Order 11903. 


3. Natlonal Security Council Directive in WEL SD 


a. National Security Council Directive of 17 May 1972 implementing 
Pxecutive Order 11652 stipulates that, except as otherwise provided bby 
Section 102 of the National Security Act of 1947, classified information or 
material originating in one department shall not be disseminated outside 
any other department to which it has been made available without the 
consent of the originating department. This restriction on dissemination 
is commonly deseribed as the “third agency rule.” 


b. The NSC Directive stipulates that the dissemination of classified 
information, including intelligence and intelligence information, orally, 


This directive supersedes DCID No. 1/7 effective 5 October 1975. 

“Far purposes of this directive, “related material” Includes: information describing US 
fureign intelligence sources and methods, equipment and methodology unique to the ac- 
quisition or exploitation of forelgn intelligence, forelgn military hardware obtained for ex- 
ploitation and photography or recordings resulting from US foreign intelligence collection 
olforts. 


i 
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c. ‘he NSC Directive also states that documents or portions of docu- 
ments containing TOP SECRET information shall not be reproduced with- 
out the consent of the originating office. All other classified material shall 
be reproduced sparingly and any stated prohibition against reproduction 
shall be strictly adhered to, 


d, ‘Ihe NSC Directive further requires that the marking, “WARNING 
NOTICE-SENSITIVE INTELLIGENCE SOURCES AND METHODS 
INVOLVED,” be prominently displayed on all information and materials 
relating lo sensitive intelligence sources and methods; and, that materials 
so marked will not he disseminated in any manner outside authorized 
channels without the permission of the originating department and an 
assessinent by the senior intelligence official in the disseminating depart- 
ment as to the potential risk to the national security and to the intelligence 
sources and methods involved.* For special purposes, primarily bibliographic 
notation, cormmunications or automatic data processing, this marking may 
be abbreviated WNINTEL. 


4. Advance authorization 


a. To facilitate the dissemination and different uses made of classified 
foreign intelligence within and among Intelligence Community organiza- 
tions and to assure the timely provision of intelligence to consumers and 
to handle the volume of such materials in a practical way, it is necessary 
to provide controlled relief to the “third agency rule” within the Intelligence ( 
Community in addition to that provided hy Section 102 of the National 
Security Act of 1947. Accordingly, Intelligence Community organizations 
have been given advance authorization lu use each other's classified foreign 
intelligence in their respective intelligence documents, publications or other 
information media, and to disseminate their products to third agencies or 
foreign fovernments,* subject to limitations and procedures prescribed in 
this directive. 


b. Classified foreign intelligence documents, even though they bear, 
no control markings, will not be released in their original form to third 
agencies or foreign governments without permission of the originator. In- 
formation contained in classified foreign intelligence documents of another 
organization may be extracted or paraphrased and used by the recipient 
Intelligence Community organization in classified foreign intelligence reports 
and released to third agencies, except as specifically restricted by control 


’ Unless otherwise specified by the Director of Central Intelligence in consultation with 
the National Foreign Intelligence Board or as agreed to between originating and recipient 
agencies, authorized channels include Intelligence Community organizations and within 
each organization (including their contractors and consultants) as determined by the recipient 
senior intellicence official. 

*tExceptiug RESTRICTED DATA and formerly RESTRICTED DATA, which is pro- 
hibited from foreign dissemination under Sections 123 and 144 of Public Law 583, Atonic 
Euesy Act of LO54, as amended. 
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ec. Information contained in classified foreign intelligence documents 
of another organization pot bearing any control markings may be extracted _ 
or paraphrased and used by the recipient Intelligence Community organiza- 
tion in reports disseminated to foreign governments provided: ® 


nent 


(1) No reference is made to the source documents upon which 
the released product is based. 


(2) The source and manner of acquisition of the information ere 
not revealed. 


{3) Foreign release is made through established foreign disclosure. 
channels and procedures. 


d. Any organization disseminating foreign intelligence beyond the 
organizations of the Intelligence Community shall be responsible for en- 
suring that recipient organizations understand and agree to observe the 
restrictions prescribed by this directive and maintain adequate safeguards. 


e. No release of a classified foreign intelligence document, whether 
or not bearing a contro] marking, shall be made to foreign nationals and 
immigrant aliens, including US Government employed, utilized or inte- 
grated foreign nationals and immigrant aliens, without the permission of 
the originating agency. 


5. Aclditional authorized control markings 


a. In addition to the WARNING NOTICE prescribed by NSC Direc- 
tive, any of the following additional markings may be used on foreign in- 
telligence whenever, in the opinion of the originating organization, extraor- 
dinary circumstances related to the intelligence source or method require 
more specific dissemination restrictions. Use of these markings shall be 
limited to foreign intelligence, the disclosure of which, could: compromise 
the status of collaborating foreign governments or officials or otherwise 
seriously damage US relations with foreign governments; subject US 
citizens or others to the possibility of personal danger or incarceration; se- 
riously impair the continuing cooperation of private individuals providing 
foreign intelligence; seriously affect the continuing viability of vital tech- 
nical collection programs; or, result in the possible compromise or loss of 
some unique foreign intelligence source or method. These control markings 
will be individually assigned at the time of preparation of the completed 
document and used in conjunction with classification and other markings. 
required by Executive Order 11652 and the implementing NSC Directive 
anc, unless otherwise indicated in 6a below, carried forward to any new 
format in which that information is incorporated, including oral and visual 
presentations. 


_ SSee footnote 4, paragraph 4a. 
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TROULED BY ORIGINATOR" 


‘this marking shall be used when unique source sensitivity factors, known 
to the originator, require strict compliance with third agency rule procedures, 
in addition to a continuing knowledge and supervision on the part of the 
originator as to the extent to which the original document and information 
contained therein is disseminated. Documents and information bearing this 
inarking will not be disseminated beyond the Headquarters elements of the 
recipient organizations and the information contained therein shall not be 
extracted and incorporated into other reports without the permission of and 
under conditions prescribed hy the originator. (For special purposes, pri- 
marily bibliographic notation, communications and automatic data process- 
ing, this marking may be abbreviated ORCON. ) 


(2) “NFIB DEPARTMENTS ONLY’ 


Voreign intelligence so marked will not be disseminated to organizations 
uot represented on the National Foreign Intelligence Board without the 
permission of the originating agency. Within each National Foreign Intelli- 
gence Board organization dissemination shall be as determined by the re- 
cipient senior intelligence official, and may include organization contractors 
and cous unless specifically prohibited by addition of the “NOT RE. 
LEASABLE TO CONTRACTORS OR CONTRACTOR/CONSULTANTS” 
nnirking ae below. (For special purposes, primarily bibliographic 
notation, communications and automatic data processing, this marking may 
be abbreviated NFIBONLY.) 


(3) “NOT RELEASABLE TO CONTRACTORS OR CONTRACTOR/ 

CONSULTANTS” 

Foreign intelligence so marked shall not be disseminated to contractors 
ur contractor consultants without the permission of the originating agency. 
Uxamples of when this marking may be used include National Intelligence 
Listimates and similar national intelligence reports and other foreign intel- 
ligence, which, if disseminated to consultants or contractors, might seriously 
impair the continuing cooperation of contributing private individuals. This 
restriction shall not apply to those consultants hired under Civil Service 
Commission procedures, or comparable procedures derived from authorities 
vested in heads of organizations by law, and who are normally considered 
un extension of the office by which they are employed. In applying this 
control marking, originators will give consideration to the need of Intelli- 
geace Comraunily organizations to use contractor consultants and contractors 
to perform services which cannot be adequately performed by US Govern- 
ment persoanel. (For special purposes, primarily bibliographic notation, 
communications and automatie data processing, this marking n may be ab- 
breviated NOCONTRACT.) 


(4) “CAUTION..-PROPRIETARY INFORMATION INVOLVED” 


Vhis marking, will be used in conjunction with forcign intelligence ob- 
tained from various sources in the US private business sector, and as the in- 
Jormation imay bear upon proprietary interests of the source, or nay 


4 
Approved For Release 2006/04/19 : CIA-RDP86-00674R000300080023-4 


ULARIWISE DE TSG LO LEE OU LICe & CECLERIEIC Ub. ALOULPRCURLS UE SOP Pe E, 
this marking shall take every reasonable precaution to ensure that the infor- 

Approved Futimelease 2eddoaies'cicinerppabeoesraRddseneosegzayy be used 
in conjunction with the “NOT RELEASABLE TO CONTRACTORS OR 
CONTRACTOR/CONSULTANTS” marking described above. (For special 
purposes, primarily bibliographic notation, communications and automatic 
data processing, this marking may be abbreviated PROPIN. ) 


(5) “NOT RELEASABLE TO FOREIGN NATIONALS” 


¥oreign intelligence so marked involves special considerations requiring © 
that it not be released in any form to foreign governments, foreign nationals 
or non-U§ citizens without the permission of the originating agency. Ex- 
amples of when this control marking may be used include: the possible 
compromise of the status of relations with collaborating foreign governments, 
or officials; or jeopardizing the continuing viability of vital technical col- 
lection programs, (For special purposes, primarily bibliographic notation, 
communications and automatic data processing, this marking may be ap- 
breviated NOFORN.) When the originating agency predetermines that in- 
formation can be released to a specified foreign government(s), the following 
marking may be used: “THIS INFORMATION HAS BEEN AUTHORIZED 
FOR RELEASE TO (specified country(s)).” (For special purposes, pri- 
marily bibliographic notation, communications and automatic data process- 
ing, this marking may be abbreviated “REL (specified country(s).”) 


6. Procedures governing use of control markings 


a. Any recipient desiring to use foreigu intelligence in a manner con- 
trary to the restrictions established by the control markings set forth above 
shall obtain the permission of the originating agency. Such permissioi applies 
only to the specific purpose agreed to by the originator and does not auto- 
matically apply to all recipients of the information as originally dissemi- 
nated unless the originating agency removes the control markings for the 
benefit of the recipients. In those cases where dissemination outside the 
recipient agency is desired utilizing lesser or no control markings, the re- 
cipient agency should prepare a sanitized version which may be released 
with the originator’s permission. 


b. Control markings authorized in paragraphs 3d and 5 above, shali be 
displayed prominently on documents, incorporated in the text of communi- 
cation messages, and associated with data stored or processed in automatic 
data processing systems. Unless the entire document justifies the protection 
of the control marking(s), each portion requiring the marking(s)} shall, to 
the extent feasible, be marked with the appropriate marking abbreviation 
authorized by this directive. 


¢. The standardized restrictions anf control markings set forth in this 
directive are to be employed uniformly by all organizations in the Intelli- 
yence Community, thereby assuring like control and restrictions on the use 
of foreign intelligence disseminated within the organizations represented on 
the National Foreign Intelligence Board. 
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d. ‘Phe substance of this directive shail be published in appropriate 
regulatory or notice media of each organization, together with appropriate 
DT yes pRevel Pr Redeaed 2de7ean4® : CMAUAEtES ODETaRG0N EONS 23-4 P 
of intelligence and information. For this purpose, each Intelligence Com- ( 
Ja munity organization will designate a primary referent. 


7. Report of unauthorized disclosure 


Violations of the foregoing restrictions and control markings that result in 
unanthorized disclosure by one agency of the foreign intelligence of another shall 
be reported to the Director of Central Intelligence through the DCI Security 
Cornmittee. 


8. Prior restrictions and markings 


Questions with respect to the current application of control markings au- ©. i” - 
thorized by earlier directives on the dissemination and control of intelligence © ~~ * 
and utilized on documents issued prior to the date of this directive should be re- 
ferred to the originating agency. These markings are: WARNING NOTICE- 
SENSITIVE SOURCES AND METHODS INVOLVED, CONTROLLED DIs- 

SEM, NSC PARTICIPATING AGENCIES ONLY, INTEL COMPONENTS 
ONLY, LIMITED, CONTINUED CONTROL, NO DISSEM ABROAD, BACK- 
GROUND USE ONLY and NO FOREIGN DISSEM. ' 


George Bush 
Director of Central Intelligence 


— 


ij 
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DIRECTOR OF CENTRAL INTELLIGENCE DIRECTIVE NO. 1/7 


(Attachment ) 


DCI POLICY ON RELEASE OF 
FOREIGN INTELLIGENCE TO CONTRACTORS ' 


1. In order that the Intelligence Community agencies may more effectively 
discharge their responsibilities and without Intent to limit such broader authority 
or responsibility as any may now have under law, NSC Directive or special 
agreements among them, selected intelligence? may be made available by 
recipient officials of the Intelligence Community agencies or their designated 
subordinates to certain contractors without referral to the originating agency, 
provided that: 


su, Release® shall be limited to private individuals (including con- 
sultants) or organizations certified by the Senior Intelligence Office of the 
sponsoring Intelligence Community agency as being under contract to the 
United States Government for the purpose of performing classified services 


1"General policy is set forth in DCID No. 1/7, ‘Control of Dissemination of Foreign Intel- 
ligence,’ effective 18 May 1976. In accordance with paragraph 5a(3) of DCID 1/7, the In- 
telligence Community agencies agree that government-owned, contractor-operated laboratories 
performing classified services in support of the intelligence mission of the Energy Research 
anc Development Administration, which are designated authorized channels by the ERDA 
Senior Intelligence Officer, are not considered contractors for the purposes of this policy 
stalement.” 


2 This directive deals solely with foreign intelligence, which for purposes of this directive, 
is defined as information reports and intelligence produced and disseminated by CIA, INR/ 
State, DLA, NSA, ACSI/Army, Naval Intelligence Command, ACSI/Air Force, ERDA and 
the military commands. This specifically excludes Foreign Service reporting and Sensitive 
Coupartmented Information* (SCI). Permission to release Foreign Service reporting inust be 
obtained from the Department of State, and permission to release SCI must be obtained from 
its originator. SCI 1s covered specifically by paragraph 3 of thls dfrective, in that it bears one 
or more codewords or special instructions which dictate handling in special dissevnination 
channels. 


*The term “Sensitive Compartmented Information” as used in this directive is intended 
to include ali information and materials bearing special community controls indicating restricted 
handling within present and future comninity intelligence collection programs and thelr 
cud products for which community systems of compartmentation have been or will be formally 
established. ‘Che term does not inchide RESTRICTED DATA as defined in Section B, Public 
Law 585, Atomic Energy Act of 1954, as amended. 


3 Release is the visual, oral or physical disclosure of classified intelligence material. 
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in support of the mission of a member agency,’ his department or service, 
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b. The responsibility for ensuring that releases to contractors are made 
pursuant to this policy statement shall rest with the Senior Intelligence 
Officer of the sponsoring member agency (ic. the chief of the intelligence 
component seeking release on his own behalf or on behalf of a component 
within his department or service) or his designee.’ 


c. The agency releasing the intelligence material shall maintain a record 
of the material releascd and shall upon request report such releases to the 
originating agency. 


d. Intelligence material released to a contractor does not become the 
property of the contractor and can be withdrawn from him at any time. 
~ Upon completion of the contract, the releasing agency shall assure that all 
intelligence materials released under authority of this agreement and all 
other materiuls of any kind incorporating data from such intelligence 
miaterials are returned to the releasing agency for final disposition. 


e. Contractors receiving intelligence material will not release the ma- 
terial (1) to any activity or individual of the contractor's organization not 
directly engaged in providing services under the contract, nor (2) to another 
contractor (including a subcontractor), government agency, private indi- 
vidual or organization without the consent of the releasing agency (which 
shall verify that the second contractor has a need-to-know and meets security 
requirements). 


f. Contcactors will cusure that intelligence material will not be released 
to foreign nationals whether or not they are also consultants, US contractors 
or employees of contractors, and regardless of the level of their security 
clearance, except with the specific permission of the originating agency. 


g. Contractors shall be required to maintain such records as will permit 
them to furnish, on demand, the names of individuals who have had access 
to intelligence materials in their custody. 


h. Contractors may not reproduce any material released without the 
express pernission of the agency having contractual responsibilities. All 
requirements for control and accountability for original documents as indi- ‘ 
cated above shall apply equally to copies made. tne 


2. The following intelligence materials shall not be released to contractors: Pee 


National Intelligence Estimates (NIEs), Special National [atelligence Gone 
jstimates (SNIEs), National Intelligence Analytical Memoranda and Inter- 
agency Inteiligence Memoranda are not releasable and hence shall bear the 


t Non-Intelligence Community government components under contract to fulfill an 
intelligence support: role, may be treated as members of the Intelligence Community rather 
than as contractors. When so treated, it shall be solely for the specific purposes agreed upon, 
and shall in no case include authority to disseminate further intelligence material made available 
ty them. 

5 Releasing agencies are required to delete: a) the CIA seal, b) the phrase “Directorate 
of Operations,” ¢) the place acquired, d) the field number, and e) the source description from 
all CIA Directorate of Operations reports passed to contractors, unless prior approval to release 
such information is obtained from CIA. 


§ 
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NOT RELEASABLE TO CONTRACTORS OR CONTRACTOR/CON- 
SULTANTS stamp. However, information contained therein may be nde 

available, without identification as national intelligence, over the byline 

of the Senior Intelligence Officer of the Intelligence Community agency 
authorizing its release. 


3. The following intelligence materials shall not be released to contractors 
unless special permission has been obtalned from the originator: 


Materials which by reason of sensitivity of content bear special tnarkings, 
such as NOT RELEASABLE TO CONTRACTORS OR CONTRACTOR’ 
CONSULTANTS or CAUTION—PROPRIETARY INFORMATION IN- 
VOLVED contained in DCID 1/7 (effective 18 May 1978) or which 
are marked for handling in special dissemination channels. 


4, Questions woncerning the implementation of this policy and these pro- 
cedures shall be referred for appropriate action to the Security Committee. 
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